Executives at AT&T, Cisco, Palo Alto Networks, and Altiostar claim that an ongoing effort to disaggregate hardware from software, and to break code down further into more focused functions and workloads, will eventually improve the security posture of mobile networks.
“Just because you turn off the lights doesn’t mean the cockroaches aren’t there. You just can’t see them,” Bob Everson, senior director of 5G architecture at Cisco, said during a virtual panel on security in open radio access network (RAN) infrastructure.
“When you’re dealing with a closed system, I think there’s this belief that inherently in a closed system everything’s just magically secure inside it, and it’s not necessarily the case,” he said.
“What we’ve seen over history is with open interfaces, when you expose the interfaces to more assessment and scrutiny and you get this openness, it drives actually more inherent security.”
Improved security in 5G open RAN frameworks isn’t automatic. It takes work, but that work is underway, Everson explained.
“Ultimately we are going to end up with a better, secure system, and one that has better visibility for operators and for everybody else to be assured that we have the right level of security.”
Open RAN Gets Strength From Software
Amy Zwarico, director of cybersecurity at AT&T, noted it’s important to remember that most of the technology wrapped into 5G and open RAN is realized in software — not hardware.
“It’s way easier for me to upgrade software than it is hardware. As my vendors innovate and come up with new security solutions, come up with more efficient solutions, I can adopt this very rapidly.
I don’t have to wait to get my return on investment on a piece of hardware that was delivered on a loading dock,” she said.
“I can get a new container from them, and I can deploy that into a Kubernetes environment, and all of a sudden I get a whole lot more benefit,” Zwarico explained, adding that those changes allow operators to “move a lot more rapidly than in the past.”
Multiple architectural changes in 5G open RAN improve the security posture of mobile networks, including the service-based architecture in the 5G core and the split of baseband processing into a distributed unit (DU) and a central unit (CU), explained Nagendra Bykampadi, director of security product management at Altiostar.
Converting nodes into network functions that can be programmed via APIs enables security, which is traditionally addressed at the IP layer, to be managed at the transport and application layers, he added.
“With the advent of service-based architecture you are currently implementing zero trust where these network functions are responsible for authenticating other network functions.”
Moreover, the DU and CU baseband processing split, a critical feature that allowed for the rise of open RAN, moves sensitive data and functions that sit at the cell site in traditional network infrastructure back into data centers, Bykampadi explained.
Zero Trust Enters 5G Via Open Interfaces
Dan Beaman, global director of 5G security at Palo Alto Networks, underlined that point, noting that open architecture and interfaces, paired with cloud-based functions running at the edge, allow operators to introduce the security concept of zero trust and better isolate traffic within the network.
“You can really see a lot more of what’s going on in that traffic in a 5G network environment,” he said on the virtual panel organized by the Open RAN Policy Coalition.
Beaman also addressed the suggestion that open systems make attacks easier, claiming that including more security vendors and more technologies adequately offsets that concern.
“It makes it harder, not easier, because you’re going to introduce new technology vendors that are going to be able to be at the actual edge in the open RAN system,” he said.
“In a closed ecosystem you can hide around or maybe not necessarily apply the same security policies that you would have had in a full 5G environment with open RAN.”
Open RAN doesn’t completely solve security challenges and vulnerabilities in mobile networks, but it does allow operators to detect threats and react sooner, according to Bykampadi.
“The more interfaces you have, there’s always a perception, and rightfully so, that the attack surface has increased,” he said.
“There are obviously vulnerabilities and attack surfaces that we need to address, no doubt about it, but with the cloudification now coming into the RAN space, as it was earlier in the core, and this whole softwareization that is happening for all this baseband software, I think there is a better chance that you may be able to detect and manage these attacks.”
The O-RAN Alliance’s Security Focus Group, which Bykampadi co-chairs, is assessing vulnerabilities in multiple interfaces, including the management plane and the RAN intelligent controller (RIC), to ensure the right level of authentication is enforced throughout the network.
Openness Narrows Threat Landscape
The RIC is of special importance because it allows operators to move more attack detection close to the edge of the network, Zwarico explained.
“Being able to move all that type of analytics up front to be able to detect things rapidly, I don’t have to wait until it’s back in my core, I catch it at the edge and it makes my core more secure,” she said.
These structural changes in open RAN could also potentially allow operators to better secure networks at lower costs, according to Everson.
“By moving things out to the edge you lower the threat domain by narrowing down and capturing things earlier, and you can focus the security to the right solution for the right problem,” he said.
“We have to remember that this is running on IP infrastructure that has been hardened over decades of security assessment and hardening.
It’s running on cloud software, container systems, and systems that are proven in large-scale systems that are tested all over the world and are arguably the most exposed systems out there,” Everson added.
Zwarico dug into that theme too, noting that “the standards become the foundation of security in open RAN, but not from a sense of what open RAN is defining itself, but rather that we’re building on existing security standards that have been baked and hardened for the last 20 years. We’re not trying to re-solve a problem.”
The O-RAN Alliance publishes new standards about three times a year, but “because it’s in software, vendors can make changes and it’s disaggregated so they’re not having to send me an entire stack,” Zwarico added.
“They can react very rapidly to changes in the standards and that’s something we really haven’t had before in the telecom space because it’s been so tightly tied to closed systems and to very hardware-based systems.”